V8 Uninitialized Use Allows Remote Code Exec in Chrome <=150.0.7871.46
CVE-2026-14405 Published on July 1, 2026

Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

NVD

Weakness Type

Use of Uninitialized Variable

The code uses a variable that has not been initialized, leading to unpredictable or unintended results. In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.


Products Associated with CVE-2026-14405

Want to know whenever a new CVE is published for Google Chrome? stack.watch will email you.

 

Affected Versions

Google Chrome: